July 19, 2013

Protecting Patient Privacy

Why the medical community needs to take greater precaution in keeping records secure

In this issue we will discuss the measures that medical organizations should be taking to prevent document exposure.

For patients, confidentiality isn’t a privilege or a nice-to-have—it’s a right. With medical records containing everything from medical history to financial reports to personal contact information, ensuring that documents are stored and disposed of securely is of the utmost importance, both ethically and legally. In the United States, information collected by healthcare organizations on individuals is protected by the Health Insurance Portability and Accountability Act.

However, recent media reports have shown that patient record security needs to be improved. In July, a federal grand jury indicted a former employee of University of Maryland Medical Center, with three others accused, for stealing patient identities to open credit accounts. A similar situation occurred recently at the Troy Regional Medical Center in Alabama in which 880 patients were notified about a data breach of personal information, including birthdays and social security numbers.

These instances are becoming more and more common, leading to widespread feelings of concern. According to the Healthcare Information and Management Systems Society, breaches are three times more likely to happen in a larger organization than in a small office—a fact that threatens not only confidentiality, but also the integrity of the medical community.

1. Why do medical record breaches happen?

There are many causes of a potential confidentiality breach. Among them are:

  • Unsupervised Access - Often unsupervised medical files are left in file rooms, on desks and in door folders.
  • Lack of training - Staff are not trained on what patient information should be protected and securely destroyed.
  • Lack of focus on the importance of document disposal - Some healthcare facilities have their own in-house document destruction facilities due to budgetary concerns or limited resources. There may be times when the hospital can’t keep up with its document destruction requirements, and this backlog could provide opportunities for fraudsters to get a hold of information.
  • Internal fraud - In a hospital many people, from doctors to nurses to lab technicians and others, may have access to patients’ confidential information. While most employees would never use this information for fraudulent purposes some may, either exploiting it or leaking it to other employees

In the recent Shred-it Information Security Tracker, responses from individuals working in the medical sector showed that:

  • While 67 per cent of medical professionals are aware of their legal obligations regarding patient document security, 31 per cent claim that staff are only trained on proper protocol on an ad hoc basis.
  • 42 per cent of medical professionals said their organization did not provide secure document destruction facilities.
  • Only 33 per cent of medical professionals confirmed that their companies had conducted an information security audit within the past 6 months.
2. What’s the solution for preventing breaches?

The main way to prevent breaches from happening is to make document security a priority. While budgetary constraints or lack of knowledge may be a contributing factor to these lapses, the repercussions that result from a data breach are too damaging to ignore. Other options to consider include:

  • Restrict access to patient information to necessary personnel.
  • Develop an effective training program to ensure that all staff are well informed on how to destroy documents and why this process is important.
  • Provide a secure document disposal receptacle where required, such as at each nurse’s station or inside main examining rooms.
  • Effectively manage both electronic and paper-based administration within a clearly defined workflow.

When it comes to disposing of documents, enacting a “shred all” policy can help ensure that unneeded papers are properly destroyed. Furthermore, the U.S. Department of Health & Human Services requires “proper disposal methods,” which include shredding personal health information in paper records so that the personal health information is rendered unreadable, indecipherable, and otherwise cannot be reconstructed.

Using the cross-cut method of shredding, Shred-it’s procedures make it nearly impossible to piece together the information once it has been shredded. Furthermore, Shred-it also destroys hard drives, meaning that medical records that are stored electronically can also be erased safely and efficiently. Customers also have the option of watching the process from inside the truck, making sure it’s secure

Get the Newsletter